Hyper-V Server — PowerShell

Create the RTA VM end-to-end from an elevated PowerShell prompt: a Generation 2 VM with both VHDX disks attached and every required setting applied (Secure Boot off, MAC spoofing on, external switch). This is the fastest, least error-prone path on Windows Server.

Before you start

Review the Hyper-V Server overview. You need:

  • The two extracted VHDX disks (rta_latest.vhdx + cidata.vhdx) on the server
  • PowerShell running as Administrator
  • The Hyper-V role installed (Install-WindowsFeature -Name Hyper-V)
  • A wired Ethernet NIC with outbound internet access (for L2 engagement work)

1. Extract the disks

Extract the VHDX zip to a local path — for example C:\RTA. Confirm both disks are present:

C:\RTA\
├── rta_latest.vhdx     # appliance root disk (boot)
└── cidata.vhdx         # cidata seed disk (engagement identity)

2. Create or reuse an external switch

The appliance needs an External switch bound to a wired NIC. Reuse one if it exists, otherwise create it (expect a brief network blip while Hyper-V re-binds the NIC):

$SwitchName = "RTA-External"

if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    # Find the interface that carries the IPv4 default route, then pick the
    # physical, non-Wi-Fi adapter behind it (Get-NetAdapter has no InterfaceMetric
    # property, so sorting adapters by it selects nothing useful)
    $defaultRoute = Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 |
        Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
    $nic = Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq "Up" -and $_.PhysicalMediaType -ne "Native 802.11" -and
                       $_.InterfaceIndex -eq $defaultRoute.InterfaceIndex } |
        Select-Object -First 1
    if (-not $nic) { throw "No wired adapter on the default route; choose one from Get-NetAdapter -Physical" }
    New-VMSwitch -Name $SwitchName -NetAdapterName $nic.Name -AllowManagementOS $true
}

Wired Ethernet only

A Wi-Fi-backed external switch gives the RTA internet but cannot present it as a distinct L2 peer, so ARP poisoning, Responder, and bettercap MITM will not work. Use a wired adapter.

3. Create the Gen2 VM and attach both disks

$VMName = "Sophos-RTA"
$Root   = "C:\RTA\rta_latest.vhdx"
$CIData = "C:\RTA\cidata.vhdx"

# Generation 2 VM, root disk attached, on the external switch
New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 8GB `
       -VHDPath $Root -SwitchName $SwitchName

# 4 vCPU, static memory
Set-VM -Name $VMName -ProcessorCount 4 -StaticMemory

# Attach the cidata seed disk as a second SCSI disk
Add-VMHardDiskDrive -VMName $VMName -Path $CIData

# Secure Boot OFF (unsigned bootloader)
Set-VMFirmware -VMName $VMName -EnableSecureBoot Off

# Boot from the root disk
Set-VMFirmware -VMName $VMName `
    -FirstBootDevice (Get-VMHardDiskDrive -VMName $VMName | Where-Object Path -eq $Root)

# MAC address spoofing ON (required for L2 tooling)
Set-VMNetworkAdapter -VMName $VMName -MacAddressSpoofing On

Generation 2 + Secure Boot Off are both required

The image needs UEFI (Gen2) and an unsigned bootloader. A Gen1 VM won't boot it, and Secure Boot left On produces a black screen with "The unsigned image's hash is not allowed (DB)".

Attach both disks — the cidata disk carries the appliance identity

Without the cidata seed disk the appliance has no engagement identity and will not register.

4. Start the VM

Start-VM -Name "Sophos-RTA"

Or start it from Hyper-V Manager. The disks are customized for your engagement, so the appliance boots already registered and connects to the Sophos headend automatically — no further configuration is needed.

Verify

Open Hyper-V Manager, select the VM, and click Connect to open the VM console. Because this image is pre-registered, the console shows a live status and troubleshooting dashboard (network interface, VPN tunnel, connectivity health).

# Check the VM is running
Get-VM -Name "Sophos-RTA"

# Confirm Secure Boot is off
(Get-VMFirmware -VMName "Sophos-RTA").SecureBoot

# Confirm MAC spoofing is on
(Get-VMNetworkAdapter -VMName "Sophos-RTA").MacAddressSpoofing

# Confirm BOTH disks are attached
Get-VMHardDiskDrive -VMName "Sophos-RTA" | Select-Object Path

# Confirm the NIC is on an external switch
Get-VMSwitch -Name (Get-VMNetworkAdapter -VMName "Sophos-RTA").SwitchName | Select-Object SwitchType

Expected output: SecureBoot = Off, MacAddressSpoofing = On, two disk paths (rta_latest.vhdx and cidata.vhdx), SwitchType = External.

Network access

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination

Destination:     connect.remotetesting.secureworks.com
IP addresses:    3.33.194.251 and 15.197.255.2 (static; these do not change)
Port / protocol: TCP 443, carrying OpenVPN (not HTTPS)
Direction:       Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.
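An added checklist that rolls the Verify commands and the egress requirement above into a single pass/fail report. This is example code written for this page, not part of the Sophos documentation; the function name Test-RtaVm and the host-side DNS and TCP checks are my additions, and it assumes the VM name, disk file names and headend values stated on this page.

```powershell
function Test-RtaVm {
    param(
        [string]$VMName = "Sophos-RTA",
        [string]$Headend = "connect.remotetesting.secureworks.com",
        [string[]]$HeadendIPs = @("3.33.194.251", "15.197.255.2")   # published on this page
    )
    $results = [ordered]@{}

    # VM settings the appliance image requires (values from the Expected output line)
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    $results["Generation2"]   = ($vm.Generation -eq 2)
    $results["SecureBootOff"] = ((Get-VMFirmware -VMName $VMName).SecureBoot -eq "Off")

    $nic = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
    $results["MacSpoofingOn"] = ($nic.MacAddressSpoofing -eq "On")
    $switch = Get-VMSwitch -Name $nic.SwitchName -ErrorAction SilentlyContinue
    $results["ExternalSwitch"] = ([bool]$switch -and $switch.SwitchType -eq "External")

    # Both disks must be present: root disk to boot, cidata disk for the engagement identity
    $disks = (Get-VMHardDiskDrive -VMName $VMName).Path | ForEach-Object { Split-Path $_ -Leaf }
    $results["RootDiskAttached"]   = ($disks -contains "rta_latest.vhdx")
    $results["CidataDiskAttached"] = ($disks -contains "cidata.vhdx")

    # Host-side egress checks. The VM shares the host NIC through the external switch,
    # so the host's path to the headend is a reasonable proxy for the appliance's.
    # DNS answers outside the published IPs usually mean a filtering resolver or NAC portal.
    $resolved = (Resolve-DnsName -Name $Headend -Type A -ErrorAction SilentlyContinue).IPAddress
    $results["HeadendDnsMatchesPublishedIPs"] =
        ([bool]$resolved -and (@($resolved | Where-Object { $HeadendIPs -contains $_ }).Count -gt 0))
    # A completed TCP handshake on 443 proves the L3/L4 rule only; L7 application control
    # or TLS decryption can still drop the OpenVPN tunnel after this check passes.
    $results["Tcp443Reachable"] = Test-NetConnection -ComputerName $Headend -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]$results
}

Test-RtaVm | Format-List
```

Any False row maps directly to one of the requirements in steps 2 and 3 or to the firewall exception above, which narrows troubleshooting before opening the VM console.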

Troubleshooting

Deployed but something isn't right?

See Hyper-V Server troubleshooting for the most common issues on this platform and how to fix them.